directory-users mailing list archives

From Hans <hml...@gmail.com>
Subject Re: HI
Date Mon, 09 Jul 2007 14:29:39 GMT
Hi

> hopefully, there is no way to get the password from its encrypted form:
> this would be a major security breach!
>

Well actually there is, but you need to do some guesswork ;-)
http://en.wikipedia.org/wiki/Rainbow_table
http://www.antsight.com/zsl/rainbowcrack/
http://rainbowtables.shmoo.com/

Don't know if the password hash in ApacheDS is salted, though.

The password hash should not be possible to extract or query by other means
than backup, not through a query.

If you are allowed to do a search like
$ ldapsearch -b o=some.root -s sub 'userPassword="{md5} b4b5835f03bd6748e0cc25790d6f3498"' dn
it would render you all objects with the attribute userPassword equal to
"the secret password", which may not be such a good idea.

iPlanet DS 4.x allowed searches on the userPassword attribute with
directory manager privs, I found out. Have not tested if this works with ApacheDS.

/h
---
Hans
mailto:hmlhdr@gmail.com
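
An added illustration of the salting question raised in the message above (not part of the original post and not ApacheDS code): it builds the standard LDAP {MD5} and {SSHA} userPassword values and shows that unsalted values are identical for identical passwords, which is what makes equality matches and precomputed tables work, while salted values are not. The DNs, the password and the helper names are constructed for the example.

```python
import base64, hashlib, hmac, os
from collections import defaultdict

def ldap_md5(password):
    # Unsalted: the stored value depends only on the password.
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()

def ldap_ssha(password, salt=None):
    # Salted: base64(SHA1(password + salt) + salt), fresh random salt per entry.
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(password, stored):
    # Server-side check: recompute with the stored salt, compare in constant time.
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    if scheme.upper() == "{MD5":
        return hmac.compare_digest(hashlib.md5(password.encode()).digest(), raw)
    if scheme.upper() == "{SSHA":
        digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
        candidate = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported scheme")

def shared_values(entries):
    # Group DNs by stored userPassword value; any group of two or more is
    # what an equality match on the attribute would return together.
    groups = defaultdict(list)
    for dn, value in entries.items():
        groups[value].append(dn)
    return sorted(sorted(dns) for dns in groups.values() if len(dns) > 1)

def build_directory(hasher):
    # Constructed sample entries: alice and bob share the same password.
    passwords = {
        "uid=alice,o=some.root": "constructed-example-pw",
        "uid=bob,o=some.root": "constructed-example-pw",
        "uid=carol,o=some.root": "another-constructed-pw",
    }
    return {dn: hasher(pw) for dn, pw in passwords.items()}

if __name__ == "__main__":
    print("unsalted, shared values:", shared_values(build_directory(ldap_md5)))
    print("salted, shared values:  ", shared_values(build_directory(ldap_ssha)))
```
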



